Главная Обзор Помощь
Регистрация Вход
186-template-175
/
mini-starter
ответвлено от 155-template-138/mini-starter
2
0
Ответвить 0
Файлы
Дерево: ce1cdeb332
Ветки Метки
mini-starter
/
packages
/
shared-crud
/
tests
/
integration
/
data-permission.integration.test.ts

data-permission.integration.test.ts 14 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487 
  1. import { describe, it, expect, beforeEach, vi, afterEach } from 'vitest';
    2. 

  2. import { testClient } from 'hono/testing';
    3. 

  3. import { IntegrationTestDatabase, setupIntegrationDatabaseHooksWithEntities } from '@d8d/shared-test-util';
    4. 

  4. import { JWTUtil } from '@d8d/shared-utils';
    5. 

  5. import { z } from '@hono/zod-openapi';
    6. 

  6. import { createCrudRoutes } from '../../src/routes/generic-crud.routes';
    7. 

  7. import { Entity, PrimaryGeneratedColumn, Column } from 'typeorm';
    8. 

  8. 

  9. // 测试用户实体
    10. 

  10. @Entity()
    11. 

  11. class TestUser {
    12. 

  12.   @PrimaryGeneratedColumn()
    13. 

  13.   id!: number;
    14. 

  14. 

  15.   @Column('varchar')
    16. 

  16.   username!: string;
    17. 

  17. 

  18.   @Column('varchar')
    19. 

  19.   password!: string;
    20. 

  20. 

  21.   @Column('varchar')
    22. 

  22.   nickname!: string;
    23. 

  23. 

  24.   @Column('varchar')
    25. 

  25.   registrationSource!: string;
    26. 

  26. }
    27. 

  27. 

  28. // 测试实体类
    29. 

  29. @Entity()
    30. 

  30. class TestEntity {
    31. 

  31.   @PrimaryGeneratedColumn()
    32. 

  32.   id!: number;
    33. 

  33. 

  34.   @Column('varchar')
    35. 

  35.   name!: string;
    36. 

  36. 

  37.   @Column('int')
    38. 

  38.   userId!: number;
    39. 

  39. 

  40.   @Column('int', { nullable: true })
    41. 

  41.   createdBy?: number;
    42. 

  42. 

  43.   @Column('int', { nullable: true })
    44. 

  44.   updatedBy?: number;
    45. 

  45. }
    46. 

  46. 

  47. // 定义测试实体的Schema
    48. 

  48. const createTestSchema = z.object({
    49. 

  49.   name: z.string().min(1, '名称不能为空'),
    50. 

  50.   userId: z.number().optional()
    51. 

  51. });
    52. 

  52. 

  53. const updateTestSchema = z.object({
    54. 

  54.   name: z.string().min(1, '名称不能为空').optional()
    55. 

  55. });
    56. 

  56. 

  57. const getTestSchema = z.object({
    58. 

  58.   id: z.number(),
    59. 

  59.   name: z.string(),
    60. 

  60.   userId: z.number(),
    61. 

  61.   createdBy: z.number().optional(),
    62. 

  62.   updatedBy: z.number().optional()
    63. 

  63. });
    64. 

  64. 

  65. const listTestSchema = z.object({
    66. 

  66.   id: z.number(),
    67. 

  67.   name: z.string(),
    68. 

  68.   userId: z.number(),
    69. 

  69.   createdBy: z.number().optional(),
    70. 

  70.   updatedBy: z.number().optional()
    71. 

  71. });
    72. 

  72. 

  73. // 设置集成测试钩子
    74. 

  74. setupIntegrationDatabaseHooksWithEntities([TestUser, TestEntity])
    75. 

  75. 

  76. describe('共享CRUD数据权限控制集成测试', () => {
    77. 

  77.   let client: any;
    78. 

  78.   let testToken1: string;
    79. 

  79.   let testToken2: string;
    80. 

  80.   let testUser1: TestUser;
    81. 

  81.   let testUser2: TestUser;
    82. 

  82. 

  83.   beforeEach(async () => {
    84. 

  84.     // 获取数据源
    85. 

  85.     const dataSource = await IntegrationTestDatabase.getDataSource();
    86. 

  86. 

  87.     // 创建测试用户1
    88. 

  88.     const userRepository = dataSource.getRepository(TestUser);
    89. 

  89.     testUser1 = userRepository.create({
    90. 

  90.       username: `test_user_1_${Date.now()}`,
    91. 

  91.       password: 'test_password',
    92. 

  92.       nickname: '测试用户1',
    93. 

  93.       registrationSource: 'web'
    94. 

  94.     });
    95. 

  95.     await userRepository.save(testUser1);
    96. 

  96. 

  97.     // 创建测试用户2
    98. 

  98.     testUser2 = userRepository.create({
    99. 

  99.       username: `test_user_2_${Date.now()}`,
    100. 

  100.       password: 'test_password',
    101. 

  101.       nickname: '测试用户2',
    102. 

  102.       registrationSource: 'web'
    103. 

  103.     });
    104. 

  104.     await userRepository.save(testUser2);
    105. 

  105. 

  106.     // 生成测试用户的token
    107. 

  107.     testToken1 = JWTUtil.generateToken({
    108. 

  108.       id: testUser1.id,
    109. 

  109.       username: testUser1.username,
    110. 

  110.       roles: [{name:'user'}]
    111. 

  111.     });
    112. 

  112. 

  113.     testToken2 = JWTUtil.generateToken({
    114. 

  114.       id: testUser2.id,
    115. 

  115.       username: testUser2.username,
    116. 

  116.       roles: [{name:'user'}]
    117. 

  117.     });
    118. 

  118. 

  119.     // 创建测试路由 - 启用数据权限控制
    120. 

  120.     const testRoutes = createCrudRoutes({
    121. 

  121.       entity: TestEntity,
    122. 

  122.       createSchema: createTestSchema,
    123. 

  123.       updateSchema: updateTestSchema,
    124. 

  124.       getSchema: getTestSchema,
    125. 

  125.       listSchema: listTestSchema,
    126. 

  126.       dataPermission: {
    127. 

  127.         enabled: true,
    128. 

  128.         userIdField: 'userId'
    129. 

  129.       }
    130. 

  130.     });
    131. 

  131. 

  132.     client = testClient(testRoutes);
    133. 

  133.   });
    134. 

  134. 

  135.   describe('GET / - 列表查询权限过滤', () => {
    136. 

  136.     it('应该只返回当前用户的数据', async () => {
    137. 

  137.       // 创建测试数据
    138. 

  138.       const dataSource = await IntegrationTestDatabase.getDataSource();
    139. 

  139.       const testRepository = dataSource.getRepository(TestEntity);
    140. 

  140. 

  141.       // 为用户1创建数据
    142. 

  142.       const user1Data1 = testRepository.create({
    143. 

  143.         name: '用户1的数据1',
    144. 

  144.         userId: testUser1.id
    145. 

  145.       });
    146. 

  146.       await testRepository.save(user1Data1);
    147. 

  147. 

  148.       const user1Data2 = testRepository.create({
    149. 

  149.         name: '用户1的数据2',
    150. 

  150.         userId: testUser1.id
    151. 

  151.       });
    152. 

  152.       await testRepository.save(user1Data2);
    153. 

  153. 

  154.       // 为用户2创建数据
    155. 

  155.       const user2Data = testRepository.create({
    156. 

  156.         name: '用户2的数据',
    157. 

  157.         userId: testUser2.id
    158. 

  158.       });
    159. 

  159.       await testRepository.save(user2Data);
    160. 

  160. 

  161.       // 用户1查询列表
    162. 

  162.       const response = await client.index.$get({
    163. 

  163.         query: {}
    164. 

  164.       }, {
    165. 

  165.         headers: {
    166. 

  166.           'Authorization': `Bearer ${testToken1}`
    167. 

  167.         }
    168. 

  168.       });
    169. 

  169. 

  170.       console.debug('列表查询响应状态:', response.status);
    171. 

  171.       expect(response.status).toBe(200);
    172. 

  172. 

  173.       if (response.status === 200) {
    174. 

  174.         const data = await response.json();
    175. 

  175.         expect(data).toHaveProperty('data');
    176. 

  176.         expect(Array.isArray(data.data)).toBe(true);
    177. 

  177.         expect(data.data).toHaveLength(2); // 应该只返回用户1的2条数据
    178. 

  178. 

  179.         // 验证所有返回的数据都属于用户1
    180. 

  180.         data.data.forEach((item: any) => {
    181. 

  181.           expect(item.userId).toBe(testUser1.id);
    182. 

  182.         });
    183. 

  183.       }
    184. 

  184.     });
    185. 

  185. 

  186.     it('应该拒绝未认证用户的访问', async () => {
    187. 

  187.       const response = await client.index.$get({
    188. 

  188.         query: {}
    189. 

  189.       });
    190. 

  190.       expect(response.status).toBe(401);
    191. 

  191.     });
    192. 

  192.   });
    193. 

  193. 

  194.   describe('POST / - 创建操作权限验证', () => {
    195. 

  195.     it('应该成功创建属于当前用户的数据', async () => {
    196. 

  196.       const createData = {
    197. 

  197.         name: '测试创建数据',
    198. 

  198.         userId: testUser1.id // 用户ID与当前用户匹配
    199. 

  199.       };
    200. 

  200. 

  201.       const response = await client.index.$post({
    202. 

  202.         json: createData
    203. 

  203.       }, {
    204. 

  204.         headers: {
    205. 

  205.           'Authorization': `Bearer ${testToken1}`
    206. 

  206.         }
    207. 

  207.       });
    208. 

  208. 

  209.       console.debug('创建数据响应状态:', response.status);
    210. 

  210.       expect(response.status).toBe(201);
    211. 

  211. 

  212.       if (response.status === 201) {
    213. 

  213.         const data = await response.json();
    214. 

  214.         expect(data).toHaveProperty('id');
    215. 

  215.         expect(data.name).toBe(createData.name);
    216. 

  216.         expect(data.userId).toBe(testUser1.id);
    217. 

  217.       }
    218. 

  218.     });
    219. 

  219. 

  220.     it('应该拒绝创建不属于当前用户的数据', async () => {
    221. 

  221.       const createData = {
    222. 

  222.         name: '测试创建数据',
    223. 

  223.         userId: testUser2.id // 用户ID与当前用户不匹配
    224. 

  224.       };
    225. 

  225. 

  226.       const response = await client.index.$post({
    227. 

  227.         json: createData
    228. 

  228.       }, {
    229. 

  229.         headers: {
    230. 

  230.           'Authorization': `Bearer ${testToken1}`
    231. 

  231.         }
    232. 

  232.       });
    233. 

  233. 

  234.       console.debug('创建无权数据响应状态:', response.status);
    235. 

  235.       expect(response.status).toBe(500); // 权限验证失败会抛出错误
    236. 

  236. 

  237.       if (response.status === 500) {
    238. 

  238.         const data = await response.json();
    239. 

  239.         expect(data.message).toContain('无权');
    240. 

  240.       }
    241. 

  241.     });
    242. 

  242.   });
    243. 

  243. 

  244.   describe('GET /:id - 获取详情权限验证', () => {
    245. 

  245.     it('应该成功获取属于当前用户的数据详情', async () => {
    246. 

  246.       // 先创建测试数据
    247. 

  247.       const dataSource = await IntegrationTestDatabase.getDataSource();
    248. 

  248.       const testRepository = dataSource.getRepository(TestEntity);
    249. 

  249.       const testData = testRepository.create({
    250. 

  250.         name: '测试数据详情',
    251. 

  251.         userId: testUser1.id
    252. 

  252.       });
    253. 

  253.       await testRepository.save(testData);
    254. 

  254. 

  255.       const response = await client[':id'].$get({
    256. 

  256.         param: { id: testData.id }
    257. 

  257.       }, {
    258. 

  258.         headers: {
    259. 

  259.           'Authorization': `Bearer ${testToken1}`
    260. 

  260.         }
    261. 

  261.       });
    262. 

  262. 

  263.       console.debug('获取详情响应状态:', response.status);
    264. 

  264.       expect(response.status).toBe(200);
    265. 

  265. 

  266.       if (response.status === 200) {
    267. 

  267.         const data = await response.json();
    268. 

  268.         expect(data.id).toBe(testData.id);
    269. 

  269.         expect(data.name).toBe(testData.name);
    270. 

  270.         expect(data.userId).toBe(testUser1.id);
    271. 

  271.       }
    272. 

  272.     });
    273. 

  273. 

  274.     it('应该拒绝获取不属于当前用户的数据详情', async () => {
    275. 

  275.       // 先创建属于用户2的数据
    276. 

  276.       const dataSource = await IntegrationTestDatabase.getDataSource();
    277. 

  277.       const testRepository = dataSource.getRepository(TestEntity);
    278. 

  278.       const testData = testRepository.create({
    279. 

  279.         name: '用户2的数据',
    280. 

  280.         userId: testUser2.id
    281. 

  281.       });
    282. 

  282.       await testRepository.save(testData);
    283. 

  283. 

  284.       // 用户1尝试获取用户2的数据
    285. 

  285.       const response = await client[':id'].$get({
    286. 

  286.         param: { id: testData.id }
    287. 

  287.       }, {
    288. 

  288.         headers: {
    289. 

  289.           'Authorization': `Bearer ${testToken1}`
    290. 

  290.         }
    291. 

  291.       });
    292. 

  292. 

  293.       console.debug('获取无权详情响应状态:', response.status);
    294. 

  294.       expect(response.status).toBe(404); // 权限验证失败返回404
    295. 

  295.     });
    296. 

  296. 

  297.     it('应该处理不存在的资源', async () => {
    298. 

  298.       const response = await client[':id'].$get({
    299. 

  299.         param: { id: 999999 }
    300. 

  300.       }, {
    301. 

  301.         headers: {
    302. 

  302.           'Authorization': `Bearer ${testToken1}`
    303. 

  303.         }
    304. 

  304.       });
    305. 

  305. 

  306.       expect(response.status).toBe(404);
    307. 

  307.     });
    308. 

  308.   });
    309. 

  309. 

  310.   describe('PUT /:id - 更新操作权限验证', () => {
    311. 

  311.     it('应该成功更新属于当前用户的数据', async () => {
    312. 

  312.       // 先创建测试数据
    313. 

  313.       const dataSource = await IntegrationTestDatabase.getDataSource();
    314. 

  314.       const testRepository = dataSource.getRepository(TestEntity);
    315. 

  315.       const testData = testRepository.create({
    316. 

  316.         name: '原始数据',
    317. 

  317.         userId: testUser1.id
    318. 

  318.       });
    319. 

  319.       await testRepository.save(testData);
    320. 

  320. 

  321.       const updateData = {
    322. 

  322.         name: '更新后的数据'
    323. 

  323.       };
    324. 

  324. 

  325.       const response = await client[':id'].$put({
    326. 

  326.         param: { id: testData.id },
    327. 

  327.         json: updateData
    328. 

  328.       }, {
    329. 

  329.         headers: {
    330. 

  330.           'Authorization': `Bearer ${testToken1}`
    331. 

  331.         }
    332. 

  332.       });
    333. 

  333. 

  334.       console.debug('更新数据响应状态:', response.status);
    335. 

  335.       expect(response.status).toBe(200);
    336. 

  336. 

  337.       if (response.status === 200) {
    338. 

  338.         const data = await response.json();
    339. 

  339.         expect(data.name).toBe(updateData.name);
    340. 

  340.         expect(data.userId).toBe(testUser1.id);
    341. 

  341.       }
    342. 

  342.     });
    343. 

  343. 

  344.     it('应该拒绝更新不属于当前用户的数据', async () => {
    345. 

  345.       // 先创建属于用户2的数据
    346. 

  346.       const dataSource = await IntegrationTestDatabase.getDataSource();
    347. 

  347.       const testRepository = dataSource.getRepository(TestEntity);
    348. 

  348.       const testData = testRepository.create({
    349. 

  349.         name: '用户2的数据',
    350. 

  350.         userId: testUser2.id
    351. 

  351.       });
    352. 

  352.       await testRepository.save(testData);
    353. 

  353. 

  354.       const updateData = {
    355. 

  355.         name: '尝试更新的数据'
    356. 

  356.       };
    357. 

  357. 

  358.       // 用户1尝试更新用户2的数据
    359. 

  359.       const response = await client[':id'].$put({
    360. 

  360.         param: { id: testData.id },
    361. 

  361.         json: updateData
    362. 

  362.       }, {
    363. 

  363.         headers: {
    364. 

  364.           'Authorization': `Bearer ${testToken1}`
    365. 

  365.         }
    366. 

  366.       });
    367. 

  367. 

  368.       console.debug('更新无权数据响应状态:', response.status);
    369. 

  369.       expect(response.status).toBe(500); // 权限验证失败会抛出错误
    370. 

  370. 

  371.       if (response.status === 500) {
    372. 

  372.         const data = await response.json();
    373. 

  373.         expect(data.message).toContain('无权');
    374. 

  374.       }
    375. 

  375.     });
    376. 

  376.   });
    377. 

  377. 

  378.   describe('DELETE /:id - 删除操作权限验证', () => {
    379. 

  379.     it('应该成功删除属于当前用户的数据', async () => {
    380. 

  380.       // 先创建测试数据
    381. 

  381.       const dataSource = await IntegrationTestDatabase.getDataSource();
    382. 

  382.       const testRepository = dataSource.getRepository(TestEntity);
    383. 

  383.       const testData = testRepository.create({
    384. 

  384.         name: '待删除数据',
    385. 

  385.         userId: testUser1.id
    386. 

  386.       });
    387. 

  387.       await testRepository.save(testData);
    388. 

  388. 

  389.       const response = await client[':id'].$delete({
    390. 

  390.         param: { id: testData.id }
    391. 

  391.       }, {
    392. 

  392.         headers: {
    393. 

  393.           'Authorization': `Bearer ${testToken1}`
    394. 

  394.         }
    395. 

  395.       });
    396. 

  396. 

  397.       console.debug('删除数据响应状态:', response.status);
    398. 

  398.       expect(response.status).toBe(204);
    399. 

  399. 

  400.       // 验证数据确实被删除
    401. 

  401.       const deletedData = await testRepository.findOne({
    402. 

  402.         where: { id: testData.id }
    403. 

  403.       });
    404. 

  404.       expect(deletedData).toBeNull();
    405. 

  405.     });
    406. 

  406. 

  407.     it('应该拒绝删除不属于当前用户的数据', async () => {
    408. 

  408.       // 先创建属于用户2的数据
    409. 

  409.       const dataSource = await IntegrationTestDatabase.getDataSource();
    410. 

  410.       const testRepository = dataSource.getRepository(TestEntity);
    411. 

  411.       const testData = testRepository.create({
    412. 

  412.         name: '用户2的数据',
    413. 

  413.         userId: testUser2.id
    414. 

  414.       });
    415. 

  415.       await testRepository.save(testData);
    416. 

  416. 

  417.       // 用户1尝试删除用户2的数据
    418. 

  418.       const response = await client[':id'].$delete({
    419. 

  419.         param: { id: testData.id }
    420. 

  420.       }, {
    421. 

  421.         headers: {
    422. 

  422.           'Authorization': `Bearer ${testToken1}`
    423. 

  423.         }
    424. 

  424.       });
    425. 

  425. 

  426.       console.debug('删除无权数据响应状态:', response.status);
    427. 

  427.       expect(response.status).toBe(500); // 权限验证失败会抛出错误
    428. 

  428. 

  429.       if (response.status === 500) {
    430. 

  430.         const data = await response.json();
    431. 

  431.         expect(data.message).toContain('无权');
    432. 

  432.       }
    433. 

  433. 

  434.       // 验证数据没有被删除
    435. 

  435.       const existingData = await testRepository.findOne({
    436. 

  436.         where: { id: testData.id }
    437. 

  437.       });
    438. 

  438.       expect(existingData).not.toBeNull();
    439. 

  439.     });
    440. 

  440.   });
    441. 

  441. 

  442.   describe('禁用数据权限控制的情况', () => {
    443. 

  443.     it('当数据权限控制禁用时应该允许跨用户访问', async () => {
    444. 

  444.       // 创建禁用数据权限控制的路由
    445. 

  445.       const noPermissionRoutes = createCrudRoutes({
    446. 

  446.         entity: TestEntity,
    447. 

  447.         createSchema: createTestSchema,
    448. 

  448.         updateSchema: updateTestSchema,
    449. 

  449.         getSchema: getTestSchema,
    450. 

  450.         listSchema: listTestSchema,
    451. 

  451.         dataPermission: {
    452. 

  452.           enabled: false, // 禁用权限控制
    453. 

  453.           userIdField: 'userId'
    454. 

  454.         }
    455. 

  455.       });
    456. 

  456. 

  457.       const noPermissionClient = testClient(noPermissionRoutes);
    458. 

  458. 

  459.       // 创建属于用户2的数据
    460. 

  460.       const dataSource = await IntegrationTestDatabase.getDataSource();
    461. 

  461.       const testRepository = dataSource.getRepository(TestEntity);
    462. 

  462.       const testData = testRepository.create({
    463. 

  463.         name: '用户2的数据',
    464. 

  464.         userId: testUser2.id
    465. 

  465.       });
    466. 

  466.       await testRepository.save(testData);
    467. 

  467. 

  468.       // 用户1应该能够访问用户2的数据(权限控制已禁用)
    469. 

  469.       const response = await noPermissionClient[':id'].$get({
    470. 

  470.         param: { id: testData.id }
    471. 

  471.       }, {
    472. 

  472.         headers: {
    473. 

  473.           'Authorization': `Bearer ${testToken1}`
    474. 

  474.         }
    475. 

  475.       });
    476. 

  476. 

  477.       console.debug('禁用权限控制时的响应状态:', response.status);
    478. 

  478.       expect(response.status).toBe(200);
    479. 

  479. 

  480.       if (response.status === 200) {
    481. 

  481.         const data = await response.json();
    482. 

  482.         expect(data.id).toBe(testData.id);
    483. 

  483.         expect(data.userId).toBe(testUser2.id);
    484. 

  484.       }
    485. 

  485.     });
    486. 

  486.   });
    487. 

  487. });
    488.